More than 330,000 Medicare beneficiaries affected by MOVEit breach

In the latest revelations related to a Russian ransomware gang’s exploitation of the popular MOVEit file transfer service, a federal government agency revealed that more than 330,000 Medicare beneficiaries were affected by a sensitive data leak.

The U.S. Center for Medicare & Medicaid Services (CMS) provides health coverage to more than 160 million people through Medicare, Medicaid, the Children’s Health Insurance Program, and the Health Insurance Marketplace.

In a notice released Thursday, the organization said it was sending letters to those who may have been impacted by a corporate network breach of Maximus Federal Services, a CMS contractor that used Progress Software’s MOVEit Transfer .

The information consulted includes:

• Names
• Social Security Numbers
• Addresses
• Dates of birth
• Phone numbers
• Medicare Beneficiary Identifiers (MBI) or Health
• Insurance Claim Numbers
• Driver’s License Numbers and State Identification
• Numbers
• Medical history/notes (including medical record/account numbers, conditions, diagnoses, dates of service, images, treatments, etc.)
• Healthcare Provider and Prescription Information
• Health Insurance Claims and Policy/Subscriber Information

“CMS and Maximus Federal Services are notifying individuals with Medicare whose (personally identifiable information) may have been exposed that they are being offered free credit monitoring services for 24 months,” they said.

“This notice also contains information on how affected individuals can obtain a free credit report and, for individuals whose Medicare Beneficiary Identification Number may have been affected, information on receiving a new card Medicare with a new number.”

CMS provided a sample of the letter, which explains that Maximus “is among many organizations in the United States that have been impacted by the MOVEit vulnerability.”

They reiterated that no CMS systems were compromised and that only copies of files stored in the Maximus MOVEit application were accessed from May 27 to 31. Maximus notified CMS of the breach on June 2.

Maximus, an IT company that also provides services to U.S. student loan servicers and other government programs, confirmed in July that the information of up to 10 million people may have been accessed by hackers exploiting a MOVEit vulnerability in a regulatory filing with the US Securities and Exchange Commission (SEC).

Hundreds of critical organizations around the world have reported widespread data theft by Clop, a Russian-speaking ransomware gang. with proven experience to exploit bugs in file transfer software.

More than five months after the vulnerability was announced, the companies continue to notify state and federal regulators of violations related to the incident while investigations continue.

Just last week, the state of Maine confirmed that more than 1.3 million people were affected by the incident as several departments used the MOVEit tool.

Security company Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. One of the lawyers in a class action against Progress Software previously told Recorded Future News that the breach was a “cybersecurity disaster of staggering proportions.”

Progress software said last month that it faces 58 class action lawsuits as well as federal, state and international investigations.

Brett Callow, a threat analyst at Emsisoft and a cybersecurity expert who has been following the MOVEit revelations for months, said the breach is a prime example of why U.S. cybersecurity officials are trying to promote the “Secure” initiative. By Design” – a concept in which cybersecurity is integrated. all links in the technology chain – are “absolutely essential to help make organizations less vulnerable”.

“The massive number of victims combined with the sensitivity of the data exposed means this is likely one of the most significant incidents of all time and illustrates that security can be very difficult and that even organizations with “With mature cybersecurity and robust protocols the place can be blindsided by attacks on the supply chain,” he said.

“There are many takeaways from this incident, but perhaps the most important is that we really need to focus on making sure software is more secure. Ultimately, it will always be very difficult to defend against attacks like those on the MOVEit platform. The key is to ensure that organizations don’t need to defend against them because the software they use is secure.

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.